Privacy Policy

Data Controller: OFORO LTD, Company No. 16787568, registered office at Unit 8 Lyon Road, Milton Keynes, England, MK1 1EX. ICO registration: pending.

Data Protection Officer (DPO): dpo@nxted.ai. Appointed under Article 37 UK GDPR because our core processing includes large-scale processing of Article 9 special category data (biometric data via Nxted Capture).

EU Representative (Article 27 EU GDPR): contact details published on this page once appointed; in the meantime EU data subjects may contact our DPO.

Our role depends on the data set:

• Controller for: contributor and contributor-applicant data; capture-subject footage; Client account holders' contact data; website visitor analytics.
• Processor for: personal data embedded in Client uploads to Expert evaluation (e.g. names or identifiers contained in the AI outputs the Client asks us to evaluate). The terms in the Data Processing Agreement govern that processing.

We rely on the following lawful bases under Article 6 UK GDPR:

• Contract (Art 6(1)(b)) - to deliver the Services to Clients and engage Contributors.
• Legitimate interests (Art 6(1)(f)) - for service improvement, fraud prevention, security, and limited analytics. Our balancing assessment is available on request.
• Legal obligation (Art 6(1)(c)) - to comply with tax, accounting, anti-money-laundering and other statutory duties.
• Consent (Art 6(1)(a) + Art 9(2)(a)) - for biometric footage collected via Nxted Capture, and for non-essential cookies.

Egocentric video collected through Nxted Capture is treated as Article 9 UK GDPR special category data from the moment of capture. Our lawful basis is the data subject's explicit consent (Article 9(2)(a) UK GDPR and section 6 of India's DPDP Act 2023).

• To deliver the Services and onboard you to projects.
• To match Contributors with suitable projects.
• To process payments and meet our tax obligations.
• To detect, investigate and prevent fraud, abuse, and security incidents.
• To respond to data subject requests, legal claims and regulator enquiries.
• To improve our services (anonymised metadata only; we do not train AI models on identifiable personal data).

Under the UK GDPR and EU GDPR you have the right to:

• Access your personal data (Article 15)
• Rectify inaccurate data (Article 16)
• Erase your data where the legal grounds apply (Article 17)
• Restrict processing (Article 18)
• Data portability (Article 20)
• Object to processing, including profiling (Article 21)
• Not be subject to a solely automated decision with legal or similarly significant effect (Article 22) - note our matching engine is decision-support, not solely automated
• Withdraw consent at any time, where consent is the lawful basis (Article 7(3))

Send requests to dpo@nxted.ai. We respond within one month (extendable to three for complex requests, with notice). We will verify your identity before responding. There is no fee unless the request is manifestly unfounded or excessive.

The Services are delivered from the United Kingdom with a contributor network in India. This means we transfer personal data:

• From the UK to India - protected by the UK International Data Transfer Agreement (IDTA) issued under section 119A of the Data Protection Act 2018.
• From the EU to the UK - protected by the European Commission adequacy decision for the UK (28 June 2021, renewed 2025).
• From the EU to India - protected by EU Standard Contractual Clauses (Commission Decision 2021/914) with the UK Addendum where applicable.
• From the UK or EU to the US - only where the recipient is on the EU-US Data Privacy Framework or subject to UK SCCs.

A copy of the relevant transfer mechanism and our Transfer Risk Assessment is available on request to dpo@nxted.ai.

We apply the technical and organisational measures described in our Security Whitepaper, including encryption at rest (AES-256) and in transit (TLS 1.3), mandatory MFA, role-based access control, network segmentation between application and biometric data stores, and regular penetration testing.

We notify the ICO of personal data breaches within 72 hours where required by Article 33 UK GDPR, and notify affected data subjects without undue delay where Article 34 applies.

See our Cookie Policy for details and to manage your preferences.

The Services are not directed at children. Contributors must be at least 18 years old. We do not knowingly collect data of minors; please contact our DPO if you believe we have.

If you have a concern, please contact our DPO first. You also have the right to lodge a complaint with a supervisory authority:

• UK: Information Commissioner's Office (ico.org.uk), Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
• EU: your local supervisory authority (list at edpb.europa.eu).
• India: the Data Protection Board of India, under the DPDP Act 2023.

We may update this policy. Material changes are notified by email at least 14 days before they take effect. The version history is available at the foot of this page on request.